Last change
on this file since 1557 was
1557,
checked in by adehnert, 14 years ago
|
Patch for CVE-2010-1440 (and CVE-2010-0739)
Both are crashes or arbitrary code execution.
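--- tetex-src-3.0/texk/dvipsk/dospecial.c.orig 2010-04-29 10:25:30.000000000 -0400
+++ tetex-src-3.0/texk/dvipsk/dospecial.c 2010-04-29 10:30:10.000000000 -0400
@@ -305,7 +305,11 @@ void predospecial P2C(integer, numbytes,
 int j ;
 static int omega_specials = 0;
 
- if (nextstring + numbytes > maxstring) {
+ if (numbytes < 0 || numbytes > maxstring - nextstring) {
+ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
+ error("! Integer overflow in predospecial");
+ exit(1);
+ }
 p = nextstring = mymalloc(1000 + 2 * numbytes) ;
 maxstring = nextstring + 2 * numbytes + 700 ;
 }
@@ -828,7 +832,11 @@ float *bbdospecial P1C(int, nbytes)
 char seen[NKEYS] ;
 float valseen[NKEYS] ;
 
- if (nextstring + nbytes > maxstring) {
+ if (nbytes < 0 || nbytes > maxstring - nextstring) {
+ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
+ error("! Integer overflow in bbdospecial");
+ exit(1);
+ }
 p = nextstring = mymalloc(1000 + 2 * nbytes) ;
 maxstring = nextstring + 2 * nbytes + 700 ;
 }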
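Review bot: Both new inner checks use `INT_MAX` (in predospecial and again in bbdospecial), yet the patch has no hunk adding `#include <limits.h>`, so it compiles only if dospecial.c already gets that header some other way, which is not visible here. The limit `(INT_MAX - 1000) / 2` exists to keep the `1000 + 2 * numbytes` argument to mymalloc from wrapping, and that coupling is silent; a comment such as `/* bound keeps 1000 + 2 * numbytes within int for mymalloc below */` above each inner `if` would stop the two expressions drifting apart. Both function bodies continue outside their hunks, so whether the later copy into `p` stays within the `2 * numbytes + 700` window cannot be confirmed from this page.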